azorult | e772ef11131412c53d06e2aa43a4a7580b390b73dcca65344aa9db3585ad079d

Analysis

max time kernel
54s
max time network
60s
platform
windows10_x64
resource
win10v20201028
submitted
18-03-2021 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft_Windows_10_keygen_by_KeygenNinja.exe
Size

10.6MB
MD5

f986b0da579828fa492041a33862a74d
SHA1

79ce5993da004a0a96609b9f025befb7bf391009
SHA256

df7a1a5d4e81f076198ed56b9bae34bf8f907e300d22cd8681f910472609422e
SHA512

6148127921cbe28135e002f6d0f72f717ffcf980cfd8faaea1d73a813123884a996526925cf05fefb288810b8cfd9065ed618ac98ab2b5d63bd637ce55fbf519

Score

10^/10

azorult pony bootkit discovery evasion infostealer macro persistence rat spyware stealer trojan xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/files/0x000600000001ab8b-92.dat	Nirsoft
behavioral1/files/0x000600000001ab8b-93.dat	Nirsoft
behavioral1/files/0x000200000001abb0-105.dat	Nirsoft
behavioral1/files/0x000200000001abb0-104.dat	Nirsoft

Executes dropped EXE 14 IoCs

pid	Process
3688	intro.exe
3008	keygen-pr.exe
1420	keygen-step-1.exe
2952	keygen-step-3.exe
3612	keygen-step-4.exe
3576	key.exe
2724	002.exe
2800	key.exe
908	Setup.exe
3108	setup.exe
3656	aliens.exe
3520	jg2_2qua.exe
500	08B935EBAFB9032A.exe
3588	08B935EBAFB9032A.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x000300000001ab89-68.dat	office_xlm_macros

Loads dropped DLL 4 IoCs

pid	Process
908	Setup.exe
908	Setup.exe
908	Setup.exe
3692	MsiExec.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3656	aliens.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3576 set thread context of 2800	3576	key.exe	91

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\k42a4i0zb2uk	setup.exe
File created	C:\Program Files (x86)\k42a4i0zb2uk\__tmp_rar_sfx_access_check_259331875	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

resource	yara_rule
behavioral1/files/0x000300000001a0e3-60.dat	nsis_installer_1
behavioral1/files/0x000300000001a0e3-60.dat	nsis_installer_2
behavioral1/files/0x000300000001a0e3-61.dat	nsis_installer_1
behavioral1/files/0x000300000001a0e3-61.dat	nsis_installer_2
behavioral1/files/0x00030000000197fe-70.dat	nsis_installer_1
behavioral1/files/0x00030000000197fe-70.dat	nsis_installer_2
behavioral1/files/0x00030000000197fe-71.dat	nsis_installer_1
behavioral1/files/0x00030000000197fe-71.dat	nsis_installer_2
behavioral1/files/0x00030000000197fe-74.dat	nsis_installer_1
behavioral1/files/0x00030000000197fe-74.dat	nsis_installer_2

Kills process with taskkill 1 IoCs

evasion

pid	Process
64	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3764	PING.EXE
3216	PING.EXE
3720	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3576	key.exe
3576	key.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	3576	key.exe
Token: SeTcbPrivilege	3576	key.exe
Token: SeChangeNotifyPrivilege	3576	key.exe
Token: SeCreateTokenPrivilege	3576	key.exe
Token: SeBackupPrivilege	3576	key.exe
Token: SeRestorePrivilege	3576	key.exe
Token: SeIncreaseQuotaPrivilege	3576	key.exe
Token: SeAssignPrimaryTokenPrivilege	3576	key.exe
Token: SeImpersonatePrivilege	3576	key.exe
Token: SeTcbPrivilege	3576	key.exe
Token: SeChangeNotifyPrivilege	3576	key.exe
Token: SeCreateTokenPrivilege	3576	key.exe
Token: SeBackupPrivilege	3576	key.exe
Token: SeRestorePrivilege	3576	key.exe
Token: SeIncreaseQuotaPrivilege	3576	key.exe
Token: SeAssignPrimaryTokenPrivilege	3576	key.exe
Token: SeImpersonatePrivilege	3576	key.exe
Token: SeTcbPrivilege	3576	key.exe
Token: SeChangeNotifyPrivilege	3576	key.exe
Token: SeCreateTokenPrivilege	3576	key.exe
Token: SeBackupPrivilege	3576	key.exe
Token: SeRestorePrivilege	3576	key.exe
Token: SeIncreaseQuotaPrivilege	3576	key.exe
Token: SeAssignPrimaryTokenPrivilege	3576	key.exe
Token: SeImpersonatePrivilege	3576	key.exe
Token: SeTcbPrivilege	3576	key.exe
Token: SeChangeNotifyPrivilege	3576	key.exe
Token: SeCreateTokenPrivilege	3576	key.exe
Token: SeBackupPrivilege	3576	key.exe
Token: SeRestorePrivilege	3576	key.exe
Token: SeIncreaseQuotaPrivilege	3576	key.exe
Token: SeAssignPrimaryTokenPrivilege	3576	key.exe
Token: SeImpersonatePrivilege	3576	key.exe
Token: SeTcbPrivilege	3576	key.exe
Token: SeChangeNotifyPrivilege	3576	key.exe
Token: SeCreateTokenPrivilege	3576	key.exe
Token: SeBackupPrivilege	3576	key.exe
Token: SeRestorePrivilege	3576	key.exe
Token: SeIncreaseQuotaPrivilege	3576	key.exe
Token: SeAssignPrimaryTokenPrivilege	3576	key.exe
Token: SeManageVolumePrivilege	3520	jg2_2qua.exe
Token: SeShutdownPrivilege	3796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3796	msiexec.exe
Token: SeSecurityPrivilege	752	msiexec.exe
Token: SeCreateTokenPrivilege	3796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3796	msiexec.exe
Token: SeLockMemoryPrivilege	3796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3796	msiexec.exe
Token: SeMachineAccountPrivilege	3796	msiexec.exe
Token: SeTcbPrivilege	3796	msiexec.exe
Token: SeSecurityPrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeLoadDriverPrivilege	3796	msiexec.exe
Token: SeSystemProfilePrivilege	3796	msiexec.exe
Token: SeSystemtimePrivilege	3796	msiexec.exe
Token: SeProfSingleProcessPrivilege	3796	msiexec.exe
Token: SeIncBasePriorityPrivilege	3796	msiexec.exe
Token: SeCreatePagefilePrivilege	3796	msiexec.exe
Token: SeCreatePermanentPrivilege	3796	msiexec.exe
Token: SeBackupPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeShutdownPrivilege	3796	msiexec.exe
Token: SeDebugPrivilege	3796	msiexec.exe
Token: SeAuditPrivilege	3796	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3796	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2724	002.exe
2724	002.exe
908	Setup.exe
3108	setup.exe
3656	aliens.exe
500	08B935EBAFB9032A.exe
3588	08B935EBAFB9032A.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 744	3584	Microsoft_Windows_10_keygen_by_KeygenNinja.exe	77
PID 3584 wrote to memory of 744	3584	Microsoft_Windows_10_keygen_by_KeygenNinja.exe	77
PID 3584 wrote to memory of 744	3584	Microsoft_Windows_10_keygen_by_KeygenNinja.exe	77
PID 744 wrote to memory of 3688	744	cmd.exe	80
PID 744 wrote to memory of 3688	744	cmd.exe	80
PID 744 wrote to memory of 3688	744	cmd.exe	80
PID 744 wrote to memory of 3008	744	cmd.exe	81
PID 744 wrote to memory of 3008	744	cmd.exe	81
PID 744 wrote to memory of 3008	744	cmd.exe	81
PID 744 wrote to memory of 1420	744	cmd.exe	82
PID 744 wrote to memory of 1420	744	cmd.exe	82
PID 744 wrote to memory of 1420	744	cmd.exe	82
PID 744 wrote to memory of 2952	744	cmd.exe	83
PID 744 wrote to memory of 2952	744	cmd.exe	83
PID 744 wrote to memory of 2952	744	cmd.exe	83
PID 2952 wrote to memory of 4036	2952	keygen-step-3.exe	84
PID 2952 wrote to memory of 4036	2952	keygen-step-3.exe	84
PID 2952 wrote to memory of 4036	2952	keygen-step-3.exe	84
PID 744 wrote to memory of 3612	744	cmd.exe	86
PID 744 wrote to memory of 3612	744	cmd.exe	86
PID 744 wrote to memory of 3612	744	cmd.exe	86
PID 4036 wrote to memory of 3764	4036	cmd.exe	87
PID 4036 wrote to memory of 3764	4036	cmd.exe	87
PID 4036 wrote to memory of 3764	4036	cmd.exe	87
PID 3008 wrote to memory of 3576	3008	keygen-pr.exe	88
PID 3008 wrote to memory of 3576	3008	keygen-pr.exe	88
PID 3008 wrote to memory of 3576	3008	keygen-pr.exe	88
PID 3612 wrote to memory of 2724	3612	keygen-step-4.exe	89
PID 3612 wrote to memory of 2724	3612	keygen-step-4.exe	89
PID 3612 wrote to memory of 2724	3612	keygen-step-4.exe	89
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3576 wrote to memory of 2800	3576	key.exe	91
PID 3612 wrote to memory of 908	3612	keygen-step-4.exe	95
PID 3612 wrote to memory of 908	3612	keygen-step-4.exe	95
PID 3612 wrote to memory of 908	3612	keygen-step-4.exe	95
PID 908 wrote to memory of 3108	908	Setup.exe	96
PID 908 wrote to memory of 3108	908	Setup.exe	96
PID 908 wrote to memory of 3108	908	Setup.exe	96
PID 3108 wrote to memory of 3656	3108	setup.exe	97
PID 3108 wrote to memory of 3656	3108	setup.exe	97
PID 3108 wrote to memory of 3656	3108	setup.exe	97
PID 3612 wrote to memory of 3520	3612	keygen-step-4.exe	98
PID 3612 wrote to memory of 3520	3612	keygen-step-4.exe	98
PID 3612 wrote to memory of 3520	3612	keygen-step-4.exe	98
PID 3656 wrote to memory of 3796	3656	aliens.exe	99
PID 3656 wrote to memory of 3796	3656	aliens.exe	99
PID 3656 wrote to memory of 3796	3656	aliens.exe	99
PID 3656 wrote to memory of 500	3656	aliens.exe	100
PID 3656 wrote to memory of 500	3656	aliens.exe	100
PID 3656 wrote to memory of 500	3656	aliens.exe	100
PID 3656 wrote to memory of 3588	3656	aliens.exe	101

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
    intro.exe 1O5ZF
    3⤵
    - Executes dropped EXE
    PID:3688
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:2800
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3764
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Users\Admin\AppData\Local\Temp\sibD22.tmp\0\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sibD22.tmp\0\setup.exe" -s
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe
        
        "C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe"
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe
        
        C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe 0011 installp1
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:500
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\1616099004881.exe
        
        "C:\Users\Admin\AppData\Roaming\1616099004881.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616099004881.txt"
        8⤵
        
        PID:3132
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Roaming\1616099006538.exe
        
        "C:\Users\Admin\AppData\Roaming\1616099006538.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616099006538.txt"
        8⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe
        
        C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe 200 installp1
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe"
        8⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe"
        7⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file1.exe"
      4⤵
      PID:740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:752
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CEF0D0A71DC4685ED70D5D4C23A34F1D C
  2⤵
  - Loads dropped DLL
  PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-83-0x00000000055E0000-0x0000000005A91000-memory.dmp

Filesize
4.7MB

Download
memory/500-73-0x0000000072A40000-0x0000000072AD3000-memory.dmp

Filesize
588KB

Download
memory/740-108-0x0000000000AC0000-0x0000000000ACD000-memory.dmp

Filesize
52KB

Download
memory/908-56-0x0000000010E93000-0x0000000010E94000-memory.dmp

Filesize
4KB

Download
memory/908-45-0x0000000010E90000-0x0000000010E91000-memory.dmp

Filesize
4KB

Download
memory/908-55-0x0000000010E91000-0x0000000010E92000-memory.dmp

Filesize
4KB

Download
memory/908-42-0x0000000072A40000-0x0000000072AD3000-memory.dmp

Filesize
588KB

Download
memory/908-57-0x0000000010E94000-0x0000000010E96000-memory.dmp

Filesize
8KB

Download
memory/908-58-0x0000000010E96000-0x0000000010E97000-memory.dmp

Filesize
4KB

Download
memory/908-50-0x0000000010CB0000-0x0000000010CB1000-memory.dmp

Filesize
4KB

Download
memory/908-48-0x000000000EB40000-0x000000000EB41000-memory.dmp

Filesize
4KB

Download
memory/908-44-0x0000000071420000-0x0000000071B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1596-87-0x00007FFBA1150000-0x00007FFBA11CE000-memory.dmp

Filesize
504KB

Download
memory/1596-89-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1596-90-0x000002990B070000-0x000002990B071000-memory.dmp

Filesize
4KB

Download
memory/2200-106-0x0000000072A40000-0x0000000072AD3000-memory.dmp

Filesize
588KB

Download
memory/2724-29-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download
memory/2800-30-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2800-34-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3108-54-0x0000000072A40000-0x0000000072AD3000-memory.dmp

Filesize
588KB

Download
memory/3132-94-0x0000000072A40000-0x0000000072AD3000-memory.dmp

Filesize
588KB

Download
memory/3576-37-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/3576-33-0x0000000002BC0000-0x0000000002D5C000-memory.dmp

Filesize
1.6MB

Download
memory/3576-38-0x0000000000BE0000-0x0000000000BFB000-memory.dmp

Filesize
108KB

Download
memory/3576-36-0x0000000003500000-0x00000000035EF000-memory.dmp

Filesize
956KB

Download
memory/3584-2-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/3588-84-0x0000000005630000-0x0000000005AE1000-memory.dmp

Filesize
4.7MB

Download
memory/3588-75-0x0000000072A40000-0x0000000072AD3000-memory.dmp

Filesize
588KB

Download
memory/3656-66-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/3656-62-0x0000000072A40000-0x0000000072AD3000-memory.dmp

Filesize
588KB

Download
memory/3712-101-0x00007FFBA1150000-0x00007FFBA11CE000-memory.dmp

Filesize
504KB

Download
memory/3712-109-0x0000019F50B80000-0x0000019F50B81000-memory.dmp

Filesize
4KB

Download